Form replay
Since LemonLDAP::NG 0.9.4
Presentation
Form replay allows you to open a session on a protected application by replaying the form POST, without asking the user for anything.
Warning: this kind of SSO mechanism is not clean and can lead to problems such as local password blocking, local sessions not being closed properly, etc. Always try to find another solution to protect your application with LemonLDAP::NG.
How it works
If you configure form replay with LemonLDAP::NG, the Handler will catch the configured POST URLs and send a POST query to the target page (which can be different from the caught page). Each field can be filled with static values or with data from the user's session (like $uid, $cn, etc.).
LemonLDAP::NG can catch a GET request and transform it internally into a POST request. All of this is transparent to the user, who cannot see what data is posted by LemonLDAP::NG.
Replay user's password
To post the user's password, you need to have set up the storePassword parameter. In this case you will be able to use $_password to fill any password POST field.
Known limitations in LemonLDAP::NG 0.9.4
- POST configuration takes place in handler/MyHandler.pm
- POST does not work with mod_proxy: you must use a local Handler to use it
Configuration
You should gather some information:
- URI of the page which contains the form
- URI of the page which receives the POST data
- All field names and values
For example:
- Form page URI: /login.php
- POST data URI: /process.php
- Fields:
  - login: $uid (uid of the user)
  - password: $_password (password of the user)
  - static: 'StaticValue' (a static value)
  - remember: '1' (checked box)
Then edit handler/MyHandler.pm and add:
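    post => {
        # URI of the page which contains the form
        '/login.php' => {
            # URI of the page which receives the POST data
            postUrl => '/process.php',
            # Field names and their values (session data or static values)
            expr => 'login => $uid, password => $_password, static => StaticValue, remember => 1',
        },
    },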
You can add other form replay entries inside the post configuration:
    post => {
        '/uri1' => {
            …
        },
        '/uri2' => {
            …
        },
        '/uri3' => {
            …
        },
    },
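
Added example, not part of the LemonLDAP::NG code base: a standalone Perl script that expands the page's example rule against a constructed session, shows the POST body such a rule amounts to, and lists which rules replay $_password. The helper names (urlencode, expand_rule), the session values and the simplified expr parsing are assumptions for illustration; the Handler's own evaluation of expr may differ.

```perl
use strict;
use warnings;

# Same structure as the page's example 'post' configuration.
my %post = (
    '/login.php' => {
        postUrl => '/process.php',
        expr    => 'login => $uid, password => $_password, static => StaticValue, remember => 1',
    },
);

# Constructed session data (sample values, not taken from a real session).
my %session = ( uid => 'jdoe', cn => 'John Doe', _password => 'S3cret&Pass' );

# Percent-encode an ASCII value for an application/x-www-form-urlencoded body.
sub urlencode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.~-])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Split expr into [field, value] pairs BEFORE substituting session data, so a
# session value containing ',' or '=>' cannot change the list of posted fields.
sub expand_rule {
    my ( $expr, $session ) = @_;
    my @pairs;
    for my $item ( split /\s*,\s*/, $expr ) {
        my ( $field, $value ) = $item =~ /^\s*(\w+)\s*=>\s*(.*?)\s*$/
          or die "Cannot parse '$item'\n";
        $value =~ s/^'(.*)'$/$1/;    # strip optional quotes around static values
        $value =~ s{\$(\w+)}{ $session->{$1} // '' }ge;
        push @pairs, [ $field, $value ];
    }
    return @pairs;
}

for my $uri ( sort keys %post ) {
    my $rule  = $post{$uri};
    my @attrs = $rule->{expr} =~ /\$(\w+)/g;    # session attributes the rule reads
    my $body  = join '&', map { "$_->[0]=" . urlencode( $_->[1] ) }
      expand_rule( $rule->{expr}, \%session );
    print "caught URI : $uri\n";
    print "POST target: $rule->{postUrl}\n";
    print "session use: @attrs\n";
    print "NOTE: replays \$_password, so storePassword must be enabled\n"
      if grep { $_ eq '_password' } @attrs;
    print "POST body  : $body\n";
}
```

Running it over your own post hash gives a quick inventory of which applications receive the stored password and which session attributes each rule sends.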